Industry - Enforcement
Executive Summary
South Korea's Personal Information Protection Commission fined e-commerce giant Coupang approximately 623 billion won for a data breach that exposed personal information of 37.55 million people through a former employee's exploitation of authentication credentials, and for unlawfully collecting online browsing data from 11.17 million users without consent through its advertising business. Coupang's subsidiary received an additional 248 million won fine for misusing employee weight data from h...
What Happened
South Korea's Personal Information Protection Commission fined e-commerce company Coupang approximately 623 billion won (South Korean currency) on June 12, 2026, for two major violations. A former employee exploited authentication credentials due to inadequate security management, resulting in a data breach that exposed personal information of approximately 37.55 million people. Additionally, Coupang unlawfully collected third-party online browsing records of approximately 11.17 million users through its Coupang Partners advertising business without obtaining their consent. Coupang's subsidiary, Coupang Fulfillment Service, received a separate fine of 248 million won for misusing employee weight data that was collected for health management purposes during industrial accident litigation...
Who Is Affected
Approximately 37.55 million individuals had their personal data exposed through the data breach caused by the former employee's unauthorized access. An additional 11.17 million users had their online browsing activity tracked and collected without consent through Coupang's advertising operations. Coupang employees whose health-related weight data was repurposed for litigation without authorization, and 71 National Police Agency press corps journalists allegedly placed on an employment blacklist by the subsidiary company, were also affected.
Why It Matters
This enforcement action represents one of the largest privacy fines in South Korean history, demonstrating regulatory willingness to impose substantial financial penalties for data protection failures at scale. The case highlights critical failures across multiple privacy domains: inadequate access controls enabling insider threats, unauthorized tracking for advertising purposes, and inappropriate repurposing of employee health data. The scale of impact - nearly 50 million individuals across the two main violations - underscores how poor data governance at major e-commerce platforms can create systemic privacy risks affecting substantial portions of a country's population.
What You Should Do
If you are a Coupang user or were a user during 2025, monitor your accounts for unauthorized activity and consider changing passwords and enabling two-factor authentication on your account and any services where you reused credentials. Review your financial statements and credit reports for signs of identity theft or fraud, as personal information exposure can enable such activities. If you used Coupang's platform for browsing or shopping, be aware that your online activity may have been collected without consent and consider adjusting privacy settings on current accounts or requesting data deletion under applicable privacy rights. South Korean consumers can file complaints with the Personal Information Protection Commission if they believe their data was misused or if they experience r...
Summary generated from verified sources and reviewed before publication. How we summarize.